CVE-2026-1078
Arbitrary File Write in Pega Browser Extension via Malicious Sites
Publication date: 2026-04-07
Last updated on: 2026-04-07
Assigner: Pegasystems Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pega | robotic_automation | 22.1 |
| pega | robotic_automation | r25 |
| pega | browser_extension | 3.1.45 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1078 is an arbitrary file-write vulnerability in the Pega Browser Extension (PBE) that affects Pega Robotic Automation versions 22.1 and R25. This vulnerability occurs when a Robot Runtime user navigates to a malicious website crafted by an attacker. The malicious website contains code that exploits the PBE, potentially allowing the attacker to write arbitrary files on the affected system.
Additionally, there is a related medium-severity vulnerability in all versions of the Pega Browser Extension that can cause unexpected behaviors such as unsolicited message boxes when users visit malicious sites.
How can this vulnerability impact me?
This vulnerability can allow a malicious actor to write arbitrary files to your system by tricking a Robot Runtime user into visiting a malicious website. This could lead to compromise of the automation environment, potentially allowing unauthorized modification or insertion of files, which may disrupt operations or lead to further exploitation.
The medium-severity issue may also cause unexpected behaviors such as unsolicited message boxes, which could be used for social engineering or to disrupt user workflows.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in Pega Browser Extension (PBE) affecting Pega Robotic Automation versions 22.1 and R25, it is strongly recommended to update to PBE version 3.1.45 or later.
Additionally, users running R25 should upgrade both Robot Studio and Robot Runtime to version 25.1.13. Users on version 22.1 only need to update the PBE without upgrading Robot Studio or Robot Runtime.
Contacting Pega Support for any questions or concerns is also advised.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects compliance with common standards and regulations such as GDPR or HIPAA.